Why are Discovered Item created without a Vulnerable item from Qualys Integration?

HelloCAD · ‎03-07-2025

I see that there are Discovered Items from Qualys integration that do not have an associated Vulnerable Item, and the CI is created for that Discovered Item (created from IRE).

I want to limit creation of new CIs so new CIs are not created for those Items that do not have an active Vulnerability.

Please let me know how to achieve this?

andy_ojha · ‎03-12-2025

Hey there - a similar post was made on this around the same time.

Sharing guidance here as well.

You can adjust the API Filter that ServiceNow uses when fetching Assets (via the Qualys Host List job) - to filter the Assets brought back from Qualys - to only those that have had vulnerabilities evaluated/processed on them.

This should help bring in assets for those that only have Detections/Vulnerable Items.

Do you have access to the NOW Support KB Articles?

This article outlines where to make the configuration change on the Qualys Host List Job, so that we filter/restrict which assets/hosts are fetched from the Qualys API:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1324696
Qualys API has a neat filter called "vm_processed_after=" that you can use as the filter object (following the instructions from the KB above)
- "(Optional) Show hosts with vulnerability scan results processed after a certain date and time. Specify the date in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), like “2016-09-12” or “2016-09-12T23:15:00Z”"
https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf

If you are looking to clean up the "unused" Discovered Item (i.e. not related to Detections or Vulnerable Items):

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1349923

Marc Hall · ‎06-20-2025

Hi Andy,

Is there anything similar for Rapid7 and Microsoft Defender for Endpoint?

Thx

andy_ojha · ‎06-20-2025

Hey Marc,

Yes there are filtering capabilities, similar to this for Rapid7 InsightVM and Microsoft TVM / Endpoint

Linking here to Docs/Community threads for both on the respective asset filtering for Rapid7 IVM:

- https://www.servicenow.com/community/secops-forum/filter-rapid7-data-based-on-asset-tags/m-p/3223337

- https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...

For Microsoft TVM, and filtering at the asset layer, it boils down to the `machine_filter` and the Microsoft "OData" Query:

- https://www.servicenow.com/community/secops-vr-forum-read-only/microsoft-threat-and-vulnerability-in...

- https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...

- Example: 'machine_filter: onboardingStatus eq 'Onboarded' and machineTags/any(tag: contains(tag, 'EU_'))"

For Microsoft TVM, filtering not just the assets, but detections on assets, it is a bit more involved (there is a KB article linked to this thread):
- https://www.servicenow.com/community/secops-forum/machine-filter-on-vulnerability-response-microsoft...